Create a specific repo for sssd role.

This commit is contained in:
Jeremy Gardais 2017-07-18 14:23:07 +02:00
commit eccbc254fe
6 changed files with 216 additions and 0 deletions

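--- a/README.md
+++ b/README.md
@@ -0,0 +1,75 @@
+# SSSD
+1. [Overview](#overview)
+2. [Role Variables](#role-variables)
+* [OS Specific Variables](#os-specific-variables)
+3. [Example Playbook](#example-playbook)
+4. [Configuration](#configuration)
+5. [License](#license)
+6. [Author Information](#author-information)
+## Overview
+Manage LDAP authentication with **SSSD** (System Security Services Daemon).
+Highly inspired by [Lae's system_ldap role][lae sssd galaxy] with minors updates (test only on Debian 9 and maybe on OpenSuse).
+## Role Variables
+* **sssd_pkg_state**: State of new sssd packages [default: `latest`].
+* **sssd_conf_manage**: If SSSD configuration should be managed with this role [default: `true`].
+* **sssd_main_conf_path**: Path to set main SSSD's configuration [default: `/etc/sssd/sssd.conf`].
+* **sssd_main_conf_tpl**: Template used to generate the previous config file [default: `etc/sssd/sssd.conf.j2`].
+* **sssd_mkhomedir**: If home directories should be created at login [default: `true`].
+* **sssd_home_path**: Path where home directories are stored [default: `/home`].
+* **sssd_service_name**: SSSD's service name [default: `sssd`].
+### OS Specific Variables
+Please see default value by Operating System file in `vars/` directory.
+* **sssd_pkg_list**: The list of packages to install to provide `sssd`.
+## Example Playbook
+* Use defaults vars:
+``` yml
+- hosts: serverXYZ
+roles:
+- role: ipr.sssd
+```
+* With a `group_vars/serverxyz.yml` file:
+``` yml
+sssd_domain: 'dotld'
+sssd_uris:
+- ldap://ldap.domain.tld
+sssd_search_base: 'ou=People,dc=domain,dc=tld
+sssd_bind_dn: 'cn=sssd_user,ou=apps,dc=domain,dc=tld'
+```
+* Then you also need to enter the `bind_dn_password` on the remote host (`/etc/sssd/conf.d/sssd_domain.conf`|`/etc/sssd/conf.d/dotld.conf`).
+## Configuration
+This role will:
+* Install needed packages to provide `sssd`.
+* Manage the default `sssd` configuration file (`/etc/sssd/sssd.conf`).
+* Create an additionnal configuration file to only store the bind_password (`/etc/sssd/conf.d/domain.bind.conf`).
+* Manage `sssd` service.
+## License
+[WTFPL][wtfpl website]
+## Author Information
+Jérémy Gardais
+* Source: …
+* [IPR][ipr website] (Institut de Physique de Rennes)
+[wtfpl website]: http://www.wtfpl.net/about/
+[ipr website]: https://ipr.univ-rennes1.fr/
+[lae sssd galaxy]: https://galaxy.ansible.com/lae/system_ldap/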

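--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+# Package
+sssd_pkg_state: 'latest'
+# Configuration
+sssd_conf_manage: true
+sssd_main_conf_path: '/etc/sssd/sssd.conf'
+sssd_main_conf_tpl: 'etc/sssd/sssd.conf.j2'
+sssd_mkhomedir: true
+sssd_home_path: '/home/'
+# LDAP info
+sssd_domain: ''
+sssd_schema: 'rfc2307bis'
+sssd_uris: []
+sssd_search_base: ''
+sssd_bind_dn: ''
+sssd_bind_password: ''
+# Service
+sssd_service_name: 'sssd'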
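Review bot: `sssd_home_path: '/home/'` ends with a slash while the template in this commit appends `/%u` to it (`override_homedir = {{ sssd_home_path }}/%u`), so the rendered value becomes `/home//%u`, and the README documents the default as `/home`; dropping the trailing slash, `sssd_home_path: '/home'`, keeps all three in agreement. Separately, `sssd_bind_password: ''` is declared here but nothing in the tasks or template of this commit reads it — the conf.d task only writes a comment placeholder and the README says the password is entered by hand on the host — so either wire it into the conf.d file (it is a secret, so it belongs in vault-encrypted vars rather than plain group_vars) or drop the variable so nobody assumes setting it has an effect. `sssd_pkg_state: 'latest'` also makes every run an upgrade of the authentication stack; `present` is the more predictable default, with `latest` left as an opt-in.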

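--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# Handlers file for ipr.sssd
+- name: restart sssd
+service:
+name: '{{ sssd_service_name }}'
+state: restarted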

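--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+# tasks file for ansible-role-sssd
+- name: Load specific OS vars
+include_vars: "{{ item }}"
+with_first_found:
+- "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
+- "{{ ansible_distribution|lower }}.yml"
+- "{{ ansible_os_family|lower }}.yml"
+# Packages
+- name: Install sssd
+package:
+name: "{{ item }}"
+state: "{{ sssd_pkg_state }}"
+with_items: "{{ sssd_pkg_list }}"
+# Configuration file
+- name: CONFIG sssd.conf
+template:
+src: "{{ sssd_main_conf_tpl }}"
+dest: "{{ sssd_main_conf_path }}"
+mode: 0600
+owner: root
+group: root
+backup: true
+when: sssd_conf_manage
+notify:
+- restart sssd
+- name: "CONFIG conf.d/{{ sssd_domain }}.conf"
+blockinfile:
+state: present
+create: yes
+mode: 0600
+owner: root
+group: root
+insertbefore: BOF
+dest: "/etc/sssd/conf.d/{{ sssd_domain }}.conf"
+content: |
+[domain/{{ sssd_domain }}]
+#ldap_default_authtok = password for {{ sssd_bind_dn }} after END BLOCK
+when: sssd_conf_manage
+notify:
+- restart sssd
+- name: Ensure home directories are created upon login with pam
+lineinfile:
+dest: /etc/pam.d/common-account
+regexp: 'pam_mkhomedir\.so'
+line: "session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent"
+state: present
+when: sssd_mkhomedir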
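Review bot: The last task writes a `session` line into `/etc/pam.d/common-account`, but pam_mkhomedir is a session module and Debian keeps session lines in `common-session`; on Debian 9 (the only platform the README says was tested) the `common-*` files are also managed by `pam-auth-update`, so a hand-inserted line can be discarded on the next profile update — the task should at least use `dest: /etc/pam.d/common-session`, and ideally ship a `/usr/share/pam-configs/` profile instead. `umask=0022` makes every newly created home directory world-readable (0755); unless shared homes are intended, `umask=0077` is the safer default and worth exposing as a variable. The conf.d task relies on `/etc/sssd/conf.d/` already existing (`create: yes` does not create parent directories), which presumably holds once the package is installed but is worth guarding with a `file: state=directory mode=0700` task. Minor: `package` accepts a list, so `name: "{{ sssd_pkg_list }}"` installs everything in one transaction instead of the `with_items` loop.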


@ -0,0 +1,56 @@
# {{ ansible_managed }} }
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = {{ sssd_domain }}
[domain/{{ sssd_domain }}]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
#access_provider = ldap
autofs_provider = ldap
{# connection configuration #}
ldap_schema = {{ sssd_schema }}
ldap_uri = {{ sssd_uris | join(',') }}
ldap_tls_cacertdir = /etc/ssl/certs
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
{# search configuration #}
ldap_search_base = {{ sssd_search_base }}
ldap_default_bind_dn = {{ sssd_bind_dn }}
ldap_default_authtok_type = password
#ldap_default_authtok = ... # See conf.d/default.bind.conf
cache_credentials = True
entry_cache_timeout = 5400
## Filter
# LDAP
#access_provider = ldap
#ldap_access_order = filter
#ldap_access_filter = (memberof=cn=groupeA,ou=Groupes,dc=domain,dc=tld)
{# mapping/attribute configuration #}
override_homedir = {{ sssd_home_path }}/%u
krb5_realm = #
# Simple
#access_provider = simple
#simple_allow_groups = groupeA,ou=Groupes,dc=domain,dc=tld
ldap_user_uuid = entryuuid
ldap_group_uuid = entryuuid
enumerate = False
[nss]
filter_groups = root
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
homedir_substring = /home
[pam]
reconnection_retries = 3
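Review bot: `ldap_tls_reqcert = never` turns off server certificate verification for the StartTLS session that `ldap_id_use_start_tls = True` negotiates, so the channel is encrypted but unauthenticated: anyone able to answer for the `ldap_uri` host can present an arbitrary certificate and collect the bind DN password and each user's login password. Since `ldap_tls_cacertdir = /etc/ssl/certs` is already set, `ldap_tls_reqcert = demand` should work as soon as the LDAP server's certificate chains to a CA in that directory (an explicit `ldap_tls_cacert = /path/to/site-ca.pem` is the usual fix when it does not); an insecure setting like this should at most be an opt-in variable with a loud comment. Two smaller things: `krb5_realm = #` most likely assigns the literal value `#` (sssd only treats `#` as a comment at line start), so the line should be removed or left unset, and the `# See conf.d/default.bind.conf` comment does not match the `conf.d/{{ sssd_domain }}.conf` file the tasks create. This template's path is not shown in this rendering; presumably it is the `etc/sssd/sssd.conf.j2` referenced from defaults.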

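--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -0,0 +1,4 @@
+---
+# vars file for Debian-based distros
+sssd_pkg_list:
+- sssd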